Mike West
works and plays on the internet. Currently working as a Developer
Advocate on Google's Chrome team in Munich, he helps develop websites
and applications that (on good days) delight and inform. Drop me an
email at
mike@mikewest.org
follow me on
Twitter
or circle me on
Google+

6 articles and links tagged with “contentsecuritypolicy”

I had the distinct pleasure of talking with folks at this year’s CSSConf EU about the dangers of content-injection attacks. They’re not just for JavaScripters, you see: CSS is dangerous too! They’ve just posted the video, and I think it’s worth a little under a half-hour of your time to skim through.

Last week, I was in Zürich to chat about client-side security. Here, I’ve wrapped up an annotated transcript, along with the slides and video. I’m pretty happy with how the talk turned out: I think it’s a good representation of what I think is important in frontend security, and worth your time to peruse.

At the end of last year, I presented ‘Securing the Client Side’ at Devoxx, and I’ve been meaning to put together a more accessible version of the talk for those who weren’t there. I think the topics are important, and worth the effort of updating this site for the first time in a year. cough.

AngularJS has recently implemented support for Content Security Policy that restricts the use of eval(), new Function(), and other such text-to-JS conduits. This is a huge win, as CSP is one of the best protections modern browsers provide against XSS attacks. However, Angular’s implementation reveals a need for feature detection that the spec currently doesn’t address. This is my proposal for such an API.

Based on the Content Security Policy primer I wrote last week, you should have a good idea of what CSP can offer a website developer. What might not be clear is that the policies can extend beyond HTTP, a bit more deeply into the browser. Chrome offers Content Security Policy support for extensions that substantially reduce the possibility of permission leakage; this article describes how it works, and how you can use it in your extensions.

The web’s security model is fundamentally broken, and has been since the beginning. Content Security Policy is an upcoming feature of the web platform that promises to mitigate the risk of XSS attacks, and it’s worth starting to play with now.